[dns-operations] Question regarding DNS query logging

Colm MacCárthaigh colm at stdlib.net
Tue Mar 15 00:13:59 UTC 2011


For a recursive service, it's probably prudent to consider the
implications for user privacy, and any relevant jurisdictional or
legal data protection issues which arise, before doing this.

In some jurisdictions, data protection commissioners, and other
regulators, have made it clear that it can be considered a breach of
relevant acts.

On Mon, Mar 14, 2011 at 4:51 PM, Michael Skurka <Michael.Skurka at lcra.org> wrote:
> Excellent points!
>
> I would love to turn on tcpdump/snoop and capture the queries _and_ responses.  And storage space isn't the big obstacle for me.  Unfortunately, to capture queries/responses would involve purchasing hardware to monitor several switched network segments.  Why?  Due to security requirements, I/we can't implement a single host with multiple NICs to do the capturing.  That solution will have to wait until we have some sort of budget.
>
> At the moment, I'm having to battle management to get any visibility into our DNS servers.  Turning on query logging is the least-cost overall at the moment (CPU, network, storage, admin resources).
>
> Thanks for the ideas.  I will keep pushing for a better solution.
>
>
> Michael Skurka
> Information Security Analyst Sr
> Lower Colorado River Authority, Austin TX
> 512-498-1643
> Orwell was an optimist!
>
>
> -----Original Message-----
> From: Crist Clark [mailto:Crist.Clark at globalstar.com]
> Sent: Monday, March 14, 2011 6:31 PM
> To: Michael Skurka; dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] Question regarding DNS query logging
>
>>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
>> I'm an Information Security Analyst for an energy company here in central
>> Texas.  To date, we've not logged any of our DNS queries.  We're interested
>> in "opening the fire hose" to do some analysis (pretty graphs for management
>> and looking for potential threats, i.e. malware trying to "phone home").
>>
>> We have about 2500 internal workstations and servers that hit our internal
>> DNS servers.  Our external-facing DNS is done off-site and we aren't concerned
>> with them at the moment.
>>
>> Does anyone in a similar sized company have any estimates (a rough ballpark
>> is fine) how much data we'd be looking at collecting on a weekly or monthly
>> basis?
>
> Most of the suggestions so far seem to be query logging at
> the DNS server itself.
>
> I'd just say to consider packet captures as a viable option.
> Just running tcpdump or snoop on the DNS server itself will
> probably have less impact than query logging and running it
> on another system has no impact.
>
> The thing about query logging is that it does save the queries,
> but you generally don't see the responses, and that can be of
> the utmost importance if you are doing forensics.
>
> As far as storage space for all of this, Storage Is Cheap(tm)
> (except when it isn't). Second, you'll probably save space on
> logging the actual queries, but the fact you get responses,
> which tend to be bigger, occasionally much, much bigger, may
> mean more space overall.
>
> There are also special tools to reduce and/or analyze DNS
> network captures. I personally don't have experience with
> many, but searching list archives should turn these up. They
> have been discussed recently.
> --
>
> Crist Clark
> Network Security Specialist, Information Systems
> Globalstar
> 408 933 4387
>



-- 
Colm
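To make Crist's point concrete (a server-side query log records the question but not the answer, while a capture holds both and is therefore larger per exchange), and Colm's point about client privacy, here is an added example that is not part of the thread. It parses a constructed line in the shape of a BIND 9 query-log entry, builds the wire-format query and A-record response for the same name so their sizes can be compared, estimates capture volume for an assumed query rate, and shows one way to pseudonymize the client address before a log line is written. The log-line prefix, the sample names and addresses, the per-packet framing overhead and the query rate are all assumptions.

```python
"""Query log vs. packet capture for one DNS exchange (added example, not from the thread)."""
import hashlib
import hmac
import re
import struct

# Constructed sample line. Assumption: the "client IP#PORT: query: NAME CLASS TYPE"
# core matches BIND 9 query logging; the timestamp/prefix varies by version and config.
SAMPLE_LOG_LINE = ("15-Mar-2011 00:13:59.123 client 10.20.30.40#53211: "
                   "query: www.example.com IN A + (10.20.30.1)")

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

def parse_query_log_line(line):
    """Return the client, port and question from a query-log line, or None if it does not match.
    Note what is absent: no response code, no answer RRs, no TTLs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (length byte + label, root = 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_query(qname, txid=0x1234):
    """12-byte header (RD set, QDCOUNT=1) + question section for an IN A query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_a_response(qname, addrs, txid=0x1234, ttl=300):
    """Response (QR|RD|RA, NOERROR) echoing the question, one A RR per address.
    Each RR uses a compression pointer (0xC00C) back to the name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers

# Assumed framing overhead per captured UDP packet: 16-byte pcap record header
# + 14 Ethernet + 20 IPv4 + 8 UDP.
PER_PACKET_OVERHEAD = 16 + 14 + 20 + 8

def capture_vs_log_bytes(qname, addrs, log_line):
    """Bytes stored for one exchange: the log line (plus newline) versus both packets in pcap."""
    query = build_query(qname)
    response = build_a_response(qname, addrs)
    return {
        "log": len(log_line) + 1,
        "query_wire": len(query),
        "response_wire": len(response),
        "capture": 2 * PER_PACKET_OVERHEAD + len(query) + len(response),
    }

def estimate_monthly_bytes(exchanges_per_second, bytes_per_exchange, days=30):
    """Rough monthly volume for an assumed sustained exchange rate."""
    return int(exchanges_per_second * bytes_per_exchange * 86400 * days)

def pseudonymize_client(ip, key):
    """Keyed HMAC of the client IP, truncated: stable per client within one key period,
    so per-host counting still works, but the raw address is not written to disk."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]

if __name__ == "__main__":
    rec = parse_query_log_line(SAMPLE_LOG_LINE)
    sizes = capture_vs_log_bytes(rec["qname"], ["192.0.2.10", "192.0.2.11"], SAMPLE_LOG_LINE)
    print("parsed:", rec)
    print("bytes per exchange:", sizes)
    # Assumed rate: 2500 hosts at roughly 0.2 queries/s each = 500/s sustained.
    print("monthly capture estimate:", estimate_monthly_bytes(500, sizes["capture"]))
    print("pseudonymized client:", pseudonymize_client(rec["client"], b"constructed-key"))
```

The comparison only accounts for a minimal two-address A response; real responses with authority and additional sections, or large TXT/DNSKEY answers, widen the gap further, which is the "occasionally much, much bigger" case Crist mentions. Rotating the HMAC key on a schedule bounds how long a pseudonym can be linked back to a host.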


